Bitcoin Market Manipulation Exposed On Mt. Gox?

Interesting blog post from a guy who analyzed the leaked Mt. Gox transactions and uncovered what seems to be clear evidence of a coordinated (and
successful) effort to artificially inflate the price of Bitcoin in addition to wholesale, automated theft. In this first post, I'll provide a little
background for those unfamiliar with Mt.Gox, the November explosion in Bitcoin value and the events earlier this year involving Mt. Gox.

Mt. Gox

The 28-year-old Karpeles was born in France, but after spending some time in Israel, he settled down in Japan. There he got married, posted cat
videos and became a father. In 2011, he acquired the Mt. Gox exchange in from an American entrepreneur named Jed McCaleb.

McCaleb had registered the Mtgox.com web domain in 2007 with the idea of turning it into a trading site for the wildly popular Magic: The Gathering
game cards. He never followed through on that idea, but in late 2010, McCaleb decided to repurpose the domain as a bitcoin exchange. The idea was
simple: he’d provide a single place to connect bitcoin buyers and sellers. But soon, McCaleb was getting wires for tens of thousands of dollars and,
realizing he was in over his head, he sold the site to Karpeles, an avid programmer, foodie, and bitcoin enthusiast who called himself Magicaltux in
online forums.

Karpeles soon set about rewriting the site’s back-end software, eventually turning it into the world’s most popular bitcoin exchange.

The below chart shows the median price for Bitcoin on Mt. Gox for the last year, ending with the exchange's closure.

Excerpting myself from two threads in early November.

As I write this, BTC is trading on Mt.Gox at $433, down from today's high of $446 but still up $60 from 48 hours ago.
...
CNN Money, the Washington Post, and Forbes contend that it's Chinese investment in BTC. The Forbes article leaves the distinct impression that it was
BTC China, now the largest BTC exchange on the planet, eliminating it's trading fees in September that fueled the boom.

Looking at this BTC China chart, it seems that prices tracked pretty evenly with Mt.Gox, BTC-E, etc. It bears mention that the October 2nd
announcement by the FBI of the arrest of Silk Road founder Ross Ulbricht would seem to be responsible for the sharp dip in prices on the same day.

Bitcoin made headlines on Nov. 29 as the price of a single coin hit an all-time high. Mt. Gox one of the original and biggest bitcoin exchanges,
based in Tokyo, recorded the high at $1,242 per coin. For comparison, during the same day spot gold prices hit a session low of $1,240 per
ounce.

The "Hack" and Bankruptcy

Its collapse into bankruptcy last week — and the disappearance of $460 million, apparently stolen by hackers, and another $27.4 million missing
from its bank accounts — came as little surprise to people who had knowledge of the Tokyo-based company’s inner workings. The company, these
insiders say, was largely a reflection of its CEO and majority stake holder, Mark Karpeles, a man who was more of a computer coder than a chief
executive and yet was sometimes distracted even from his technical duties when they were most needed. “Mark liked the idea of being CEO, but the
day-to-day reality bored him,” says one Mt. Gox insider, who spoke on condition of anonymity.

Last week, after a leaked corporate document said that hackers had raided the Mt. Gox exchange, Karpeles confirmed that a huge portion of the money
controlled by the company was gone. “We had weaknesses in our system, and our bitcoins vanished. We’ve caused trouble and inconvenience to many
people, and I feel deeply sorry for what has happened,” Karpeles said, speaking at a Tokyo press conference called to announce the company’s
bankruptcy. This would be the second time the exchange was hacked. In June 2011, attackers lifted the equivalent of $8.75 million.

The hackers also posted a 716 megabyte file to Karpeles’ personal website that they said comprised stolen data from Mt. Gox’s servers. It
appears to include an Excel spreadsheet of over a million trades, a file that purports to show the company’s balances in eighteen difference
currencies, the backoffice application for some sort of administrative access to the databases of Mt. Gox’s parent company Tibanne Limited, a
screenshot of the hackers’ access to those databases, a list of Mark Karpeles’ home addresses and Karpeles’ personal CV.

Anonymous hackers have defaced Mt.Gox CEO Mark Karpeles’ blog and have uploaded a data dump of customer data that, according to users with
accounts on the site, is accurate. A Reddit user created an Excel spreadsheet [mirror] of anonymized user accounts with balances, and many current
Mt.Gox users have found their balances present.

Somewhere in December 2013, a number of traders including myself began noticing suspicious bot behavior on Mt. Gox. Basically, a random number
between 10 and 20 bitcoin would be bought every 5-10 minutes, non-stop, for at least a month on end until the end of January. The bot was dubbed
“Willy” at some point,

The blog's author claims he was able to tie the activity of multiple accounts together using anomalous account data:

I noticed here that all of these accounts had one thing in common; the User_Country and User_State field both had “??” as entry. This was
unusual. Normally, these fields contained country/state FIPS codes (for verified users?), nothing (unverified users?), or “!!” (users who failed
verification or suspicious users?).

So I went back and gathered all of these “??” users, aggregated their trades, and summed the amount of BTC that each of these accounts bought
(they never performed a single sell). They seamlessly connected to each other: when one user became inactive, the next became active usually within a
few hours. Their trading activity went back all the way to September 27th.

At this point, I noticed that the first Willy account (created on September 27th) unlike all the others had some crazy high user ID: 807884, even
though regular accounts at that point only went up to 650000 or so. So I went looking for other unusually high user IDs within that month, and lo and
behold, there was another time-traveller account with an ID of 698630 – and this account, after being active for close to 8 months, became
completely inactive just 7 hours before the first Willy account became active

He nicknamed the older account "Markus" and analyzing his transactions, stumbled upon something even more incriminating:

Account 698630 actually had a registered country and state: “JP”, “40″ – the FIPS code for Tokyo, Japan. So I went and compiled all
trades for this account. For convenience, I will dub this user “Markus”.

There were several peculiar things about Markus. First, its fees paid were always 0. Second, its fiat spent when buying coins was all over the
place, with seemingly completely random prices paid per bitcoin.

regardless of the volume of BTC bought, the value paid is always $15.13. This is speculation, but perhaps for Markus, the “Money” spent field
is in fact empty, and the program that generates the trading logs simply takes whatever value was already there before. In other words, Markus is
somehow buying tons of BTC without spending a dime. Interestingly, Markus also sells every now and then, and for some reason the price values are
correct this case.

Sell 31k BTC, receive $4 million, re-buy 15k BTC, spend nothing. Awesome! Here is the corresponding chart for this day, just to show that these
trades (from 8:00 to 10:00 am) actually occurred “on-market”, and had a significant effect on the price.

However, none of the Willy accounts until November appear in the leaked balance summary at the time of collapse, and there seem to be no
corresponding withdrawals for those amounts of bitcoin bought. Markus does have a balance: around 20 BTC and small amounts of EUR, JPY and PLN. No USD
balance. In other words, only currencies for which Mt. Gox actively controlled bank accounts.

Claims & Conclusions

The gist of the authors conclusion is that either a hacker or Mark Karpeles himself, was gaming the system and inflating the value of Bitcoin on
Mt.Gox through thousands of small, automated purchases from accounts that had been edited from one set of the transaction logs and even worse, it
appears that payment for this Bitcoin was in effect embezzled from Mt. Gox and ultimately, from it's customer's accounts.

So basically, each time, (1) an account was created, (2) the account spent some very exact amount of USD to market-buy coins ($2,500,000 was most
common), (3) a new account was created very shortly after. Repeat. In total, a staggering ~$112 million was spent to buy close to 270,000 BTC – the
bulk of which was bought in November.

Upon closer inspection, it turns out the full and anonymized versions of all the logs differ in two, and ONLY two ways:

User hashes and country/state codes are removed.
Markus’ out-of-place user ID (698630) is changed to a small number (634), and its strange fixed “Money” values are corrected to the expected
values.
Interesting detail: from the 2011 leaked account list, the user with ID 634 has username “MagicalTux”

Combined with Willy’s buys, that’s around 570,000 BTC in total. Although there are no trading logs after November, Willy was observed by
multiple traders to be active for the most part of December until the end of January as well. Although this was at a slower, more consistent pace
(around 2000 BTC per day), it should roughly add up to another 80,000 BTC or so bought. So that’s a total that’s suspiciously close to the
supposedly lost ~650,000 BTC.

A few words of caution. I have not analyzed this data myself. The files were allegedly stolen and disseminated to the public by a "hacker." Parts of
the data have purportedly been independently verified by a number of users but the provenance is questionable to say the least. Assuming the data is
genuine and properly interpreted, there are at least three possible conclusions that could be reasonably drawn and they're not mutually exclusive:

1. An unknown individual or group had comprised Mt. Gox security and was engaging in theft and market manipulation over the course of several
months.
2. Mark Karpeles and possibly others were engaging in a coordinated market manipulation and embezzlement and are blaming their actions on an
intruder.
3. Unbeknownst to Mark Karpeles, someone from within his organization was responsible.

The blog post of course goes into greater detail and covers topics including the effect on Bitcoin price outside of Mt. Gox and the April 2013 Bitcoin
bubble. My own experiences in cryptocurrency, Mt. Gox and other exchanges leave me a bit jaded, but I find it entirely reasonable that it was an
inside job and Mark Karpeles was behind it.

Brief PS regarding Mark Karpeles's claims and refutation from two Swiss researchers at ETH Zurich University in Switzerland.

On Wednesday, Tokyo-based Bitcoin exchange Mt. Gox “reassured everyone” that its CEO Mark Karpeles was still in Japan and working to “ find
a solution to our recent issues.” It turns out that solution is filing for bankruptcy. Having halted withdrawals for over a month, and complaining
about a “transaction malleability” Bitcoin bug that let users steal coins, the exchange now says its Bitcoin loss is higher than the 744,000
figure cited in a “crisis plan” leaked this week. Mt. Gox says 750,000 of its customers’ Bitcoins are gone and more than 100,000 of its own. At
Bitcoin’s current surprising stable $550 – $570 value, and more than 100,000 of its own coins, that’s around $475 million. Ouch.

In Bitcoin, transaction malleability describes the fact that the signatures that prove the ownership of bitcoins being transferred in a
transaction do not provide any integrity guarantee for the signatures themselves. This allows an attacker to mount a malleability attack in which it
intercepts, modifies, and rebroadcasts a transaction, causing the transaction issuer to believe that the original transaction was not confirmed. In
February 2014 MtGox, once the largest Bitcoin exchange, closed and filed for bankruptcy claiming that attackers used malleability attacks to drain its
accounts. In this work we use traces of the Bitcoin network for over a year preceding the filing to show that, while the problem is real, there was no
widespread use of malleability attacks before the closure of MtGox

An analysis by Swiss researchers of bitcoin transaction data suggests that bankrupt exchange Mt. Gox, which blamed a bug in bitcoin itself for the
loss of millions in the virtual currency, could in fact have only lost a tiny fraction of that amount.

But the data show that only a few hundred occurred while the exchange was actually operating normally. The vast majority occurred after Mt. Gox
shut down withdrawals on Feb. 8 — so the attacks couldn't actually target it. In fact, it appears to be the exchange's announcement about the
vulnerability that caused the wave of attacks to occur.

What's more, of the hundreds of attacks that did target Mt. Gox while it was operational, less than a quarter appeared to have actually worked. The
final tally, by the researcher's reckoning: 386 bitcoins, or about $203,000.

This content community relies on user-generated content from our member contributors. The opinions of our members are not those of site ownership who maintains strict editorial agnosticism and simply provides a collaborative venue for free expression.